├── Rakefile ├── Gemfile ├── spec └── filters │ └── virustotal_spec.rb ├── DEVELOPER.md ├── .travis.yml ├── LICENSE ├── logstash-filter-virustotal.gemspec ├── lib └── logstash │ └── filters │ └── virustotal.rb └── README.md /Rakefile: -------------------------------------------------------------------------------- 1 | require "logstash/devutils/rake" 2 | -------------------------------------------------------------------------------- /Gemfile: -------------------------------------------------------------------------------- 1 | source 'https://rubygems.org' 2 | gemspec 3 | gem "logstash", :github => "elasticsearch/logstash", :branch => "1.5" 4 | -------------------------------------------------------------------------------- /spec/filters/virustotal_spec.rb: -------------------------------------------------------------------------------- 1 | require "logstash/devutils/rspec/spec_helper" 2 | require "logstash/filters/example" 3 | 4 | -------------------------------------------------------------------------------- /DEVELOPER.md: -------------------------------------------------------------------------------- 1 | # logstash-filter-example 2 | Example filter plugin. This should help bootstrap your effort to write your own filter plugin! 
3 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | { 2 | "sudo": false, 3 | "jdk": "oraclejdk8", 4 | "language": "ruby", 5 | "cache": "bundler", 6 | "rvm": "jruby-1.7.25", 7 | "before_install": [], 8 | "script": [ 9 | "bundle exec rspec spec" 10 | ], 11 | "group": "stable", 12 | "dist": "precise", 13 | "os": "linux" 14 | } 15 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2012-2015 Elasticsearch 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 14 | -------------------------------------------------------------------------------- /logstash-filter-virustotal.gemspec: -------------------------------------------------------------------------------- 1 | Gem::Specification.new do |s| 2 | s.name = 'logstash-filter-virustotal' 3 | s.version = '0.1.2' 4 | s.licenses = ['Apache License (2.0)'] 5 | s.summary = "This filter queries the Virustotal API" 6 | s.description = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. 
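This gem is not a stand-alone program"
  s.authors = ["gh-flo-vall","CoolAcid"]
  s.require_paths = ["lib"]

  # Files
  s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
  # Tests
  s.test_files = s.files.grep(%r{^(test|spec|features)/})

  # Special flag to let us know this is actually a logstash plugin
  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }

  # Gem dependencies
  s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
  # The filter does `require "faraday"` at register time; declare it so the
  # plugin manager installs it instead of relying on another plugin to.
  s.add_runtime_dependency "faraday"
  s.add_development_dependency 'logstash-devutils'
end
--------------------------------------------------------------------------------
/lib/logstash/filters/virustotal.rb:
--------------------------------------------------------------------------------
# encoding: utf-8
require "logstash/filters/base"
require "logstash/namespace"
require "json"

# Enriches an event with a VirusTotal (API v2) report for a file hash, URL
# or IP address read from one of the event's fields.
#
# The JSON document VirusTotal returns is parsed and stored unmodified under
# the `target` field. A failed lookup (timeout, connection error, non-2xx
# status, unparseable body) leaves the event otherwise untouched and appends
# the `tag_on_failure` tags, so a VirusTotal outage never stalls the pipeline.
#
# Every event reaching this filter costs one API request against the key's
# quota; wrap it in a conditional (and consider caching) rather than running
# it on every event.
class LogStash::Filters::VirusTotal < LogStash::Filters::Base

  config_name "virustotal"

  # Base URL of the VirusTotal v2 API. HTTPS only; Faraday verifies the
  # server certificate by default and nothing here disables that.
  BASE_URL = "https://www.virustotal.com".freeze

  # Report endpoint for each supported lookup type.
  ENDPOINTS = {
    "hash" => "/vtapi/v2/file/report",
    "url"  => "/vtapi/v2/url/report",
    "ip"   => "/vtapi/v2/ip-address/report"
  }.freeze

  # Your VirusTotal API key. Declared as a password so Logstash redacts it in
  # logs and configuration dumps; the plain value is only read via `.value`
  # when the request is built.
  config :apikey, :validate => :password, :required => true

  # The field containing the item to look up: a file hash, a URL or an IP
  # address, according to `lookup_type`. Events where the field is missing or
  # empty are skipped without spending an API request.
  config :field, :validate => :string, :required => true

  # Lookup type: "hash" (file report), "url" (URL report) or "ip"
  # (IP address report). Any other value is rejected when the pipeline starts
  # instead of producing a request to a nil path at runtime.
  config :lookup_type, :validate => ["hash", "url", "ip"], :default => "hash"

  # Field in which the parsed VirusTotal report is stored.
  config :target, :validate => :string, :default => "virustotal"

  # Seconds to wait both for the connection to open and for the response.
  config :timeout, :validate => :number, :default => 5

  # Tags appended to the event when the lookup fails for any reason.
  config :tag_on_failure, :validate => :array, :default => ["_virustotal_lookup_failure"]

  public
  def register
    require "faraday"
    # lookup_type is constrained by the config validator, so fetch cannot miss.
    @endpoint = ENDPOINTS.fetch(@lookup_type)
    # The IP endpoint names its query parameter `ip`; the others use `resource`.
    @param_name = @lookup_type == "ip" ? :ip : :resource
  end # def register

  public
  def filter(event)
    value = event.get(@field)
    # Nothing to look up: do not burn an API request on an empty query.
    return if value.nil? || value.to_s.strip.empty?

    begin
      connection = Faraday.new(BASE_URL)
      response = connection.get(@endpoint) do |req|
        req.params[@param_name] = value
        # The v2 API takes the key as a query parameter, so it travels in the
        # request URL and can be recorded by any intermediate proxy; route
        # this traffic over a trusted egress path.
        req.params[:apikey] = @apikey.value
        req.options.timeout = @timeout
        req.options.open_timeout = @timeout
      end
    rescue Faraday::TimeoutError
      @logger.error("Timeout trying to contact virustotal")
      return fail_event(event)
    rescue Faraday::Error => e
      # Connection refused, DNS failure, TLS error, etc. Only the class is
      # logged: the message may embed the request URL, which carries the key.
      @logger.error("Error contacting virustotal", :error => e.class.name)
      return fail_event(event)
    end

    unless response.success?
      # Per the v2 documentation a 204 signals the request-rate quota is
      # exhausted and a 403 a rejected key — TODO confirm against current docs.
      @logger.warn("virustotal returned a non-success status", :status => response.status)
      return fail_event(event)
    end

    body = response.body.to_s
    # A 2xx with an empty body carries no report; treat as "no data", not an error.
    return if body.strip.empty?

    begin
      result = JSON.parse(body)
    rescue JSON::ParserError
      # An HTML error page or truncated body must not crash the worker thread.
      @logger.warn("virustotal returned a body that is not JSON", :status => response.status)
      return fail_event(event)
    end

    event.set(@target, result)
    # filter_matched should go in the last line of our successful code
    filter_matched(event)
  end # def filter

  private
  # Appends the configured failure tags to the event; returns nil so callers
  # can `return fail_event(event)` from any failure branch.
  def fail_event(event)
    @tag_on_failure.each { |tag| event.tag(tag) }
    nil
  end # def fail_event
end # class LogStash::Filters::VirusTotal
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Logstash Plugin

This is a plugin for [Logstash](https://github.com/elastic/logstash).

It is fully free and fully open source.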
The license is Apache 2.0, so you are free to use, modify and redistribute it under the terms of that license.

## Documentation

Logstash provides infrastructure to automatically generate documentation for this plugin. We use the asciidoc format to write documentation, so any comments in the source code will first be converted into asciidoc and then into HTML. All plugin documentation is placed under one [central location](http://www.elastic.co/guide/en/logstash/current/).

- For formatting code or config examples, you can use the asciidoc `[source,ruby]` directive
- For more asciidoc formatting tips, see the excellent reference here https://github.com/elastic/docs#asciidoc-guide

## Need Help?

Need help? Try #logstash on freenode IRC or the https://discuss.elastic.co/c/logstash discussion forum.

## Developing

### 1. Plugin Development and Testing

#### Code
- To get started, you'll need JRuby with the Bundler gem installed.

- Create a new plugin or clone an existing one from the GitHub [logstash-plugins](https://github.com/logstash-plugins) organization. We also provide [example plugins](https://github.com/logstash-plugins?query=example).

- Install dependencies
```sh
bundle install
```

#### Test

- Update your dependencies

```sh
bundle install
```

- Run tests

```sh
bundle exec rspec
```

### 2. Running your unpublished Plugin in Logstash

#### 2.1 Run in a local Logstash clone

- Edit Logstash `Gemfile` and add the local plugin path, for example:
```ruby
gem "logstash-filter-virustotal", :path => "/your/local/logstash-filter-virustotal"
```
- Install plugin
```sh
# Logstash 2.3 and higher
bin/logstash-plugin install --no-verify

# Prior to Logstash 2.3
bin/plugin install --no-verify

```
  Note that `--no-verify` skips the plugin manager's validation of the gem before it is installed; use it only for a plugin you built or reviewed yourself.
- Run Logstash with your plugin
```sh
bin/logstash -e 'filter { virustotal { apikey => "YOUR_API_KEY" field => "hash" } }'
```
  Passing the API key on the command line leaves it in your shell history; for anything beyond a quick test, put the filter configuration in a config file instead.
At this point any modifications to the plugin code will be applied to this local Logstash setup. After modifying the plugin, simply rerun Logstash.

#### 2.2 Run in an installed Logstash

You can use the same **2.1** method to run your plugin in an installed Logstash by editing its `Gemfile` and pointing the `:path` to your local plugin development directory, or you can build the gem and install it using:

- Build your plugin gem
```sh
gem build logstash-filter-virustotal.gemspec
```
- Install the plugin from the Logstash home
```sh
# Logstash 2.3 and higher
bin/logstash-plugin install --no-verify /path/to/logstash-filter-virustotal-0.1.2.gem

# Prior to Logstash 2.3
bin/plugin install --no-verify /path/to/logstash-filter-virustotal-0.1.2.gem

```
- Start Logstash and proceed to test the plugin

## Contributing

All contributions are welcome: ideas, patches, documentation, bug reports, complaints, and even something you drew up on a napkin.

Programming is not a required skill. Whatever you've seen about open source and maintainers or community members saying "send patches or die" - you will not see that here.

It is more important to the community that you are able to contribute.

For more information about contributing, see the [CONTRIBUTING](https://github.com/elastic/logstash/blob/master/CONTRIBUTING.md) file.
97 | --------------------------------------------------------------------------------